Reha is one of the DJVU ransomware variant discovered by Michael Gillespie aka Demonslay335. Just like a typical ransomware, it prevents access to files by encrypting it using complex algorithm. The only way the user to open the file is paying a ransom fee to developers. Reha ransomware renames the encrypted files by adding extension .reha. Therefore photo.jpg will become photo.jpg.reha. A text file named _readme.txt also appears with a message from Reha developers notifying the victims on how to decrypt important files.
What is the Reha text file consisting of?
Typically, the text file contains the instructions or demand of Reha authors. A ransom fee is ranging from $490 to $980 and this cost varies depending on terms and conditions of Reha developers. Nevertheless, sometimes forcing the victims to purchase a tool or key to decrypt the files is the way of cyber criminals to generate money from this kind of scheme. Appropriate decryption tools or key is necessary to recover the encrypted files. Unfortunately, developers of Reha can only provide this to the victims as of this moment. People behind the ransomware virus demanded that victims must contact them through email address presented on the ransom note within 72 hours.
How Reha ransomware infect computers?
As usual, Reha ransomware can get through computers by means of spam email campaigns, untrustworthy download sites, fake software updates, or even activating tools. Through email campaigns, Reha developers attached malicious files and once it is opened or clicked it will automatically install malicious software. The best example of files that can infect computer includes:
- PDF documents
- Executable files (.exe.)
- Archive files (RAR and ZIP)
- Microsoft documents (.doc, .xls, .ppt)
Reha ransomware is also possibly comes from clicked ads from untrustworthy download sites that supports false updates or search results.
Infection Signs and Recovery of Reha Encrypted Files
User’s files or documents are inaccessible once it is encrypted by Reha ransomware virus. Previously functional files are renamed and locked. A demand message from Reha developers is generated for the perusal of its victims. A ransom fee must be paid generally in exchange of recovering the entire Reha decrypted files.
To restore from a backup file is the only alternative way to recover corrupted files without having to pay the ransom fee or purchasing a tool from Reha developers. Note that all important documents should properly store in a safe media because we can never know how and when these cyber criminals would attack.
How to Remove Reha Ransomware
Ransomware files are placed deeply into the system and on various locations, thus, thorough scanning is vital to totally remove Reha virus. Aside from our suggested tool, you may also run your own security program.
Though affected files may be impossible to decrypt due to complexity of the encryption, you can still try recovery method like alternative tool, Shadow Explorer or Previous Version as described below.
Stage 1: Scan the Computer with Anti-Malware Tool
1. Download free anti-malware scanner called MalwareBytes Anti-Malware.
Malwarebytes Anti-Malware Download Link (this will open a new window)
2. After downloading, install the program. It may run automatically or you have to double-click on the downloaded file MBSetup.exe.
3. Carry out the installation with default setup process.
4. After the installation process, click the Get Started button to launch the program.
5. Continue with the prompts until the main program opens.
6. On the main console, click on Scan to run most complete detection method to find hidden objects associated to Reha ransomware.
7. Scanning may take a while. Please wait until the anti-malware tool is done with the checking.
8. Once the scan has completed, the tool will display the list of detected threats. Remove all identified malicious items and restart the computer if necessary.
Stage 2: Double-check for Reha’s leftover with Microsoft’s Malicious Software Removal Tool
1. Download the free scanner called Malicious Software Removal Tool.
Malicious Software Removal Tool Download Link (this will open a new window)
2. The tool automatically checks the operating system and suggest appropriate download version. Click on Download button to begin. Save the file to a convenient location, preferably on Desktop.
3. After downloading the file, Windows will prompt that download has completed. Click Run to start scanning for Reha ransomware. Another option is to browse the location folder and double click on the file to run.
4. The tool will display Welcome screen, click Next. Please note the message “This tool is not a replacement for an antivirus product.” You must understand that this program is made specifically to find and remove malware, viruses, Trojans, and other harmful elements on the computer. It was not designed to protect the computer.
5. Next, you will see Scan Type. Please choose Full Scan to ensure that all Reha ransom virus entities and other harmful files left on the computer will be found and removed. For advanced computer user, you can opt for Customized Scan, if there are other drives or folders you wanted to include in this scan.
6. Full scan may take a while, please wait for Malicious Software Removal Tool to complete the tasks. However, you may cancel the scan anytime by clicking on the Cancel button.
7. After scanning, the tool will reveal all identified threats. There may be other threats that our first scan fails to detect. Please remove/delete all detected items.
8. When removal procedure is complete, you may now close Malicious Software Removal Tool. We hope that Reha ransomware have been completely deleted from the computer. Please restart Windows to proceed with the normal operation.
Stage 3 : Unlocking files with Reha Decryption Tool
Tools that may decrypt files infected by Reha is not yet available at this time. We will update this section once the tool is on hand. In the meantime, please try the options below.
Option 1: Windows Previous Version Tool
Windows Vista and Windows 7 have a feature called Previous Versions. However, this tool is only usable if restore point was made prior to Reha ransomware infection. To use this tool and recover files affected by the virus, please follow these steps:
1. Open My Computer or Windows Explorer.
2. Right-click on the affected files or folders. From the drop-down list, please click on Restore previous versions.
3. New window will open display all backup copy of files and folders you wanted to recover. Choose the appropriate file and click on Open, Copy, or Restore. Restoring selected files overwrites the current encrypted files on the computer.
Option 2: Use ShadowExplorer to restore files encrypted by Reha Ransomware
Just like Previous Version tool, ShadowExplorer is taking advantage of shadow copy created by Windows. This tool allows you to retrieve older version of files before it was encrypted by Reha ransomware.
1. Download ShadowExplorer from the official web site.
2. Install the program with the default settings.
3. The program should run automatically after installation. If not, double-click on ShadowExplorer icon.
4. You can see the drop-down list on top of the console. Please select proper drive and the most recent point-in-time shadow copies of files you wish to restore prior to Reha ransomware infection.
5. Right-click on the Drive, Folder, or File you wish to restore and click Export…
6. Lastly, ShadowExplorer will prompt for location where you want to save the copy of recovered files.